The present invention relates to improvements in systems and methods for communicating in an environment including at least one secure tunnel (such as is provided by Internet Protocol Security, referred to as "IPSec" herein and in the industry and its standards activity). More particularly, the present invention relates to an improved system and method for performance enhancement of IPSec data traffic in an IP networking environment using a hardware-based parallel process.
Communications systems involve a variety of devices which are connected to a data transmission network, often through a variety of conventional devices such as routers, switches and other components. As the networks have become larger, incorporating local area networks (LANs) and wide-area networks (WANs), these networks have become more complex and involve an increasing number of components. One of the largest networks is referred to as the Internet, a constantly-changing communications network including a large number of interconnected network devices or workstations.
In addition, many companies are now employing Internet technologies to build private intranets, enabling users in an organization to go beyond electronic mail and access critical data through web browsers. While intranet traffic is currently composed primarily of text, graphics and images, this traffic is expected to expand in the near term to include more bandwidth-intensive audio, video, voice and multimedia applications.
As applications proliferate and demand ever greater shares of bandwidth at the desktop and as the total number of users continues to grow, the pressure for increased bandwidth will continue to grow at the desktop, the server, the hub, and the switch. Organizations will need to migrate critical portions of their networks to higher bandwidth technologies, such as Gigabit Ethernet, Fast Ethernet, Gigabit Token-Ring, and High Speed Token Ring.
Communications on the Internet present additional problems because of the size of the network and because communications are not handled in a uniform manner: a first packet between two devices may be sent over one route and a completely different path may be used for a second packet, even when both packets are part of the same message. Furthermore, the Internet is inherently insecure. As security techniques are defined to add security to the Internet, these techniques often conflict with the techniques which have been in common use.
As organizations such as the Internet Engineering Task Force (IETF) define techniques for reducing the security exposures of Internet communications, security concepts such as IP Security (IPSec) have been proposed. IPSec is a developing standard for security at the network or packet-processing layer of network communications. Earlier security approaches inserted security at the application layer of the communications model. IPSec is especially useful for implementing virtual private networks and for remote user access through dial-up connection to private networks. A big advantage of IPSec is that security arrangements can be handled without requiring changes to individual user computers. IPSec provides two choices of security service: Authentication Header (AH), which provides authentication of the sender and integrity of the data (including most fields of the IP header) but no encryption, and Encapsulating Security Payload (ESP), which supports both authentication of the sender and encryption of the data. The specific information associated with each of these services is inserted into the packet in a header that follows the IP packet header. Keys are negotiated by a separate key-management protocol, such as the ISAKMP/Oakley protocol (IKE).
Tunneling or encapsulation is a common technique in packet-switched networks. It consists of wrapping a packet in a new one. That is, a new header is attached to the original packet. The entire original packet becomes the payload of the new one. In general, tunneling is used to carry traffic of one protocol over a network that does not support that protocol directly. For example, NetBIOS or IPX can be encapsulated in IP to carry it over a Transmission Control Protocol/Internet Protocol (TCP/IP) wide area network (WAN) link. In the case of IPSec, IP is tunneled through IP for a slightly different purpose, i.e., to provide total protection, including the header of the encapsulated packet. If the encapsulated packet is encrypted, an intruder cannot figure out the destination address of that packet. Without tunneling the intruder could. The internal structure of a private network can be concealed in this manner.
A notable advantage of IP tunneling is the possibility to exchange packets with private IP addresses between two intranets over the public Internet, which requires globally unique addresses. Since the encapsulated header is not processed by the Internet routers, only the end points of the tunnel (the gateways) need to have globally assigned addresses; the hosts and the intranets behind them can be assigned private addresses. As globally unique IP addresses are becoming a scarce resource, this interconnection method gains importance.
IPSec can be configured to create tunnels in two modes:
1. Tunnel mode, in which the protocol data unit (PDU) is encapsulated within another IP frame and an outermost IP address is added. This address is the address of the tunnel termination device.
2. Transport mode, in which the PDU is not encapsulated and the existing (outermost) IP address is used. This address is the address of the tunnel termination device.
Note that in IPSec terminology the word tunnel is used to describe either mode of operation: tunnel mode (a new header is created to encapsulate the original IP frame) or transport mode (no new header is created).
Traffic which uses the IP security extensions (commonly known as IPSec) to IP Protocol version 4 (IPv4) and later versions such as IP version 6 (IPv6) requires very significant processing for key exchanges and for encryption and decryption. This large processing requirement significantly reduces system performance. In practice, IPSec data traffic will be intermixed with other data traffic, requiring the receiving system first to determine whether a frame is an IP frame and then to have the IP layer determine whether the frame is an IPSec frame and, if so, perform the additional processing required prior to the normal IP processing.
It is an object of the present invention to provide a system and method for the enhanced processing of IPSec and non-IPSec data frames in data traffic having both types of data frames intermixed using a hardware-based parallel process.
It is another object of the present invention to perform preprocessing of incoming data frames using a hardware assist component for IPSec data frames to reduce the average processing time of inbound data traffic having intermixed data frames.
It is another object of the present invention to perform postprocessing of outbound data traffic using a hardware assist component for IPSec data frames to reduce the average processing time of outbound data traffic having intermixed data frames.
These and other objects and advantages of the present invention are achieved by the present invention in which data frames including security extensions are processed initially by the same hardware and software that is used to process data frames without a security extension. Outbound traffic using IPSec security extensions is encrypted and encapsulated using a hardware IPSec assist component before transmission through an IPSec outbound tunnel, such as is used in Virtual Private Networks (VPNs). This encryption and encapsulation is referred to as postprocessing and is processing intensive. Inbound traffic using security extensions is decapsulated and decrypted using the hardware IPSec assist component after reception through an IPSec inbound tunnel. This decapsulation and decryption is referred to as preprocessing and is also processing intensive. The present invention utilizes a hardware function performed in the data link control layer and described in co-pending application "Performance Enhancement for IPSec Traffic for Network Interface Connections" to determine if a received frame is an IP frame requiring IPSec processing, and if it is, to place the IPSec frame on a separate receive queue for subsequent inbound processing. The present invention further utilizes the hardware function to determine if a frame to be transmitted is an IP frame requiring IPSec outbound processing, and if it is, places the IPSec frame on a separate transmit queue for subsequent outbound processing. To determine if an IP frame is an IPSec frame, the type field in the Medium Access Control (MAC) header and the protocol field in the IP header are examined at the data link control layer.
Once IPSec and non-IPSec traffic are separated into different receive or transmit queues, the processor handles the non-IPSec traffic, while the IPSec traffic is processed in parallel by a hardware IPSec assist component which performs the IPSec functions of encryption, decryption, Security Association (SA) management and key exchange.
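The following C program is an added example and is not code from the patent or from the co-pending application it cites. It models in software the data-link-layer check just described (EtherType in the MAC header, then the protocol field in the IP header, where ESP is IP protocol 50 and AH is 51) as a queue-selection function, and builds the tunnel-mode and transport-mode encapsulations of the earlier section so that both can be run through that check. Everything it parses is constructed sample data: placeholder MAC addresses, documentation IP addresses (192.0.2.1 and 198.51.100.1 for the gateways, 10.x.x.x for the hosts), dummy SPIs and sequence numbers; encryption and integrity-check computation are left out because the text assigns them to the hardware assist. It goes slightly beyond the text in two places a practitioner would want covered: an 802.1Q VLAN tag shifts the EtherType by four bytes, and a frame too short to hold the headers being examined is dropped rather than classified. It handles IPv4 only; IPv6 would additionally require walking the extension-header chain to reach the AH or ESP header.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Standard constants (IEEE 802 EtherTypes, IANA protocol numbers), not assumptions. */
#define ETHERTYPE_IPV4 0x0800
#define ETHERTYPE_ARP  0x0806
#define ETHERTYPE_VLAN 0x8100
#define PROTO_TCP 6
#define PROTO_ESP 50
#define PROTO_AH  51

enum queue  { QUEUE_NORMAL, QUEUE_IPSEC, QUEUE_DROP };
enum sample { S_ARP, S_PLAIN, S_TRANSPORT, S_TUNNEL, S_VLAN_TUNNEL, S_RUNT };

static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (24 - 8 * i)); }

/* The data-link-layer test from the text: EtherType first, then the IPv4 protocol field.
 * Frames too short to hold the headers being examined are dropped rather than guessed at. */
enum queue classify_frame(const uint8_t *f, size_t len) {
    if (len < 14) return QUEUE_DROP;
    unsigned type = (unsigned)(f[12] << 8 | f[13]);
    size_t off = 14;
    if (type == ETHERTYPE_VLAN) {                 /* an 802.1Q tag shifts the real EtherType by 4 bytes */
        if (len < 18) return QUEUE_DROP;
        type = (unsigned)(f[16] << 8 | f[17]);
        off = 18;
    }
    if (type != ETHERTYPE_IPV4) return QUEUE_NORMAL;   /* ARP and other non-IP traffic: normal path */
    const uint8_t *ip = f + off;
    if (len - off < 20 || (ip[0] >> 4) != 4) return QUEUE_DROP;
    return (ip[9] == PROTO_ESP || ip[9] == PROTO_AH) ? QUEUE_IPSEC : QUEUE_NORMAL;
}

/* ---- constructed sample packets: placeholder MACs, documentation addresses, dummy SPIs ---- */
static uint32_t ones_sum(const uint8_t *p, size_t n) {
    uint32_t s = 0;
    for (size_t i = 0; i + 1 < n; i += 2) s += (uint32_t)(p[i] << 8 | p[i + 1]);
    while (s >> 16) s = (s & 0xffff) + (s >> 16);
    return s;
}
int ipv4_header_ok(const uint8_t *ip) { return ones_sum(ip, (ip[0] & 0xf) * 4u) == 0xffff; }

static size_t put_ipv4(uint8_t *o, uint8_t proto, size_t total, uint32_t src, uint32_t dst) {
    memset(o, 0, 20);
    o[0] = 0x45; o[2] = (uint8_t)(total >> 8); o[3] = (uint8_t)total; o[8] = 64; o[9] = proto;
    wr32(o + 12, src); wr32(o + 16, dst);
    uint16_t ck = (uint16_t)~ones_sum(o, 20);
    o[10] = (uint8_t)(ck >> 8); o[11] = (uint8_t)ck;
    return 20;
}
static size_t put_esp(uint8_t *o, uint32_t spi, uint32_t seq) { wr32(o, spi); wr32(o + 4, seq); return 8; }

/* Original packet 10.1.1.5 -> 10.2.2.9, protocol TCP, 8 bytes standing in for the transport payload. */
static size_t build_inner(uint8_t *o) {
    size_t n = put_ipv4(o, PROTO_TCP, 28, 0x0A010105, 0x0A020209);
    memset(o + n, 0xAA, 8);
    return n + 8;
}
/* Transport mode: the original header is kept (protocol field now ESP) and the ESP header is
 * inserted between it and the payload; the end hosts are the tunnel termination points. */
static size_t esp_transport(const uint8_t *pkt, size_t len, uint8_t *o) {
    size_t ihl = (pkt[0] & 0xf) * 4u, pl = len - ihl;
    size_t n = put_ipv4(o, PROTO_ESP, ihl + 8 + pl, rd32(pkt + 12), rd32(pkt + 16));
    n += put_esp(o + n, 0x1000, 1);
    memcpy(o + n, pkt + ihl, pl);
    return n + pl;
}
/* Tunnel mode: a new outer header (gateway 192.0.2.1 -> gateway 198.51.100.1) carries the whole
 * original packet as payload, so once the payload is encrypted the inner addresses are hidden. */
static size_t esp_tunnel(const uint8_t *pkt, size_t len, uint8_t *o) {
    size_t n = put_ipv4(o, PROTO_ESP, 20 + 8 + len, 0xC0000201, 0xC6336401);
    n += put_esp(o + n, 0x2000, 1);
    memcpy(o + n, pkt, len);
    return n + len;
}
static size_t put_eth(uint8_t *o, unsigned type, int vlan) {
    memset(o, 0, 12);                             /* placeholder destination/source MACs */
    size_t n = 12;
    if (vlan) { o[n++] = 0x81; o[n++] = 0x00; o[n++] = 0x00; o[n++] = 0x64; }   /* TPID 0x8100, VID 100 */
    o[n++] = (uint8_t)(type >> 8); o[n++] = (uint8_t)type;
    return n;
}

size_t build_sample(enum sample s, uint8_t *f) {
    uint8_t inner[64];
    size_t il = build_inner(inner), n;
    switch (s) {
    case S_ARP:         n = put_eth(f, ETHERTYPE_ARP, 0);  memset(f + n, 0, 28);     return n + 28;
    case S_PLAIN:       n = put_eth(f, ETHERTYPE_IPV4, 0); memcpy(f + n, inner, il); return n + il;
    case S_TRANSPORT:   n = put_eth(f, ETHERTYPE_IPV4, 0); return n + esp_transport(inner, il, f + n);
    case S_TUNNEL:      n = put_eth(f, ETHERTYPE_IPV4, 0); return n + esp_tunnel(inner, il, f + n);
    case S_VLAN_TUNNEL: n = put_eth(f, ETHERTYPE_IPV4, 1); return n + esp_tunnel(inner, il, f + n);
    case S_RUNT:        n = put_eth(f, ETHERTYPE_IPV4, 0); memset(f + n, 0, 10);     return n + 10;
    }
    return 0;
}

/* Build one sample frame and run it through the classifier. */
enum queue classify_sample(enum sample s) {
    uint8_t frame[128];
    return classify_frame(frame, build_sample(s, frame));
}
/* What the tunnel-mode frame exposes: the outer destination is the gateway; the host is inside. */
uint32_t tunnel_outer_dst(void) { uint8_t fr[128]; build_sample(S_TUNNEL, fr); return rd32(fr + 14 + 16); }
uint32_t tunnel_inner_dst(void) { uint8_t fr[128]; build_sample(S_TUNNEL, fr); return rd32(fr + 14 + 28 + 16); }
int tunnel_outer_header_ok(void) { uint8_t fr[128]; build_sample(S_TUNNEL, fr); return ipv4_header_ok(fr + 14); }
```

The plain TCP and ARP samples land on the normal queue, both ESP encapsulations (including the VLAN-tagged one) land on the IPSec queue, and the truncated frame is dropped. The two address accessors make the tunnel-mode point of the earlier section concrete: an observer of the outer header sees only the gateway address 198.51.100.1, while the real destination 10.2.2.9 sits 28 bytes deeper, inside what the hardware assist would encrypt.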